How to Identify Entitlements Not Assigned via Roles in SailPoint ISC

Hello,

In SailPoint ISC, entitlements can be assigned either:

  • Automatically, through role-based assignments, or

  • Manually (e.g., via access requests).

I would like to identify:

  • Users who have entitlements not assigned through roles, and

  • The specific entitlements they hold.

If possible, I also want to limit the scope to a specific source.

Is there a recommended way in ISC (e.g., Search, Reports, or APIs) to achieve this?

Thank you.

From the API you can check the flag standalone:true, which indicates it is not assigned via a role.

Interesting. @amankumargupta What endpoint are you calling for that?

Hi @sxxnex ,
In SailPoint IIQ you can find this via detected roles, but in ISC there is no filter to clearly separate entitlements assigned via roles from those assigned directly. You can achieve this using the API or search, though.
One approach is to use the Entitlements API / Accounts API and check the assignment type.
If an entitlement/role is assigned through an access request, it will be linked as a role membership.
If it is directly assigned from the backend or target system, it will appear as standalone.
Check this via the API as follows:
standalone = true means directly assigned from the backend
standalone = false means assigned via access request

Have you tried using

grantedBy/assignmentType in the filter and checking?

This should work.

Hit the search API with the body below:

```json
{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "*",
    "innerHit": {
      "type": "access",
      "query": "standalone:true AND type:ENTITLEMENT AND source.name:\"Active Directory\""
    }
  },
  "includeNested": true,
  "queryResultFilter": {
    "includes": [
      "name",
      "displayName",
      "access.name",
      "access.source.name"
    ]
  }
}
```

@rahulb635 Brilliant. That works perfectly, thanks

Hi @sxxnex ,

You can try generating a preview through search access item certification. The status report should give you only the entitlements solely assigned to users.

Hope this helps.

In my testing, searching using standalone:true only returns entitlements that are not associated with an Access Profile. So if you have Roles that assign entitlements directly, not via Access Profiles, those entitlements will show up as being standalone.

There still seems to be a lot of search issues around finding Entitlements that are directly assigned in Roles.

Also Entitlements that are requestable will show up as Standalone.

Hi Carl,

Agreed with your analysis; for now we can also exclude requestable entitlements.

"query": "standalone:true AND type:ENTITLEMENT AND NOT requestable:true"

Regarding roles that assign entitlements directly without an AP: you are right.
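Putting the search body from rahulb635's post and the requestable exclusion from the last reply together, as an added Python example that is not from the thread: it builds the request body, can POST it to /v3/search (the tenant base URL and bearer token are assumptions), and flattens a constructed sample response into identity-to-entitlement pairs. It assumes that, with innerHit, each returned identity's access array contains only the matching entitlements.

```python
import json
import urllib.request

BASE_URL = "https://TENANT.api.identitynow.com"  # hypothetical tenant base URL


def build_search_body(source_name=None, exclude_requestable=True):
    """Identities search with an innerHit on nested access items, as in the thread:
    standalone:true AND type:ENTITLEMENT, optionally limited to one source."""
    clauses = ["standalone:true", "type:ENTITLEMENT"]
    if source_name:  # quote the name so spaces stay inside one search term
        clauses.append('source.name:"%s"' % source_name.replace('"', '\\"'))
    if exclude_requestable:  # the refinement from the last post in the thread
        clauses.append("NOT requestable:true")
    return {
        "indices": ["identities"],
        "query": {"query": "*",
                  "innerHit": {"type": "access", "query": " AND ".join(clauses)}},
        "includeNested": True,
        "queryResultFilter": {
            "includes": ["name", "displayName", "access.name", "access.source.name"]},
    }


def post_search(token, body, base_url=BASE_URL):
    """POST the body to /v3/search with a bearer token (network call; not run here)."""
    req = urllib.request.Request(
        base_url + "/v3/search", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def flatten_results(results):
    """Map identity name -> sorted 'source/entitlement' strings. Assumes the access
    array in each hit holds only the entitlements matched by the innerHit query."""
    out = {}
    for identity in results:
        items = [a["source"]["name"] + "/" + a["name"] for a in identity.get("access", [])]
        if items:
            out[identity["name"]] = sorted(items)
    return out


# Constructed sample response (not real API output) so the script runs offline.
SAMPLE_RESPONSE = [
    {"name": "jdoe", "displayName": "Jane Doe", "access": [
        {"name": "VPN Users", "source": {"name": "Active Directory"}},
        {"name": "Domain Admins", "source": {"name": "Active Directory"}}]},
    {"name": "asmith", "displayName": "Al Smith", "access": []},
]
```

Identities whose access array comes back empty are dropped from the flattened result, so the output lists only users that actually hold standalone entitlements.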